Last week, an eCompareMo employee received an email with a subject: “Account Deactivation Notice.” The header states that the email was sent by “BPI Main Office” using the email address firstname.lastname@example.org.
According to the email, their account is “on hold” until they “verify their card information for security.” Below is a screenshot of the email:
To the unsuspecting eye, the email looks legitimate and trustworthy; after all, it seemingly has all the elements of a genuine bank email: the bank name and logo, a banner image, and a link to the bank's customer support email address.
But one thing made us conclude that it is indeed an attempt to phish sensitive banking information from unsuspecting users: the recipient doesn’t have a BPI account.
Signs to look out for
Phishing has been around ever since the internet made online banking possible—and criminals are becoming savvier and more sophisticated in collecting information from unknowing users.
Here, let us dissect the elements of a phishing email. Know one when you see one, and protect yourself from online con men:
1. The sender looks suspicious
The display name may say BPI Main Office, but the actual address behind it (firstname.lastname@example.org in the screenshot) is on a .org domain. In case you missed it, BPI's official website does not use a .org domain at all.
The official website of BPI is https://www.bpiexpressonline.com, and if you type bpi.com.ph into your browser, you will be redirected there.
Opening bpi.org.ph, by contrast, takes you to a parked domain: the page displays nothing but a few snippets of placeholder text. A display name is free-form text that anyone can set, so it is the address, and specifically its domain, that tells you who really sent the message.
2. The body is badly written
Companies know that a simple email can make or break customer confidence, and BPI is definitely aware of this.
Proper capitalization, simple subject-verb agreement, and proper use of punctuation marks—these are all important in conveying a clear message to customers.
Unfortunately, the phishing email we received is far from convincing, with grammatical errors such as “Greeting Our Valued BPI Customer,” odd capitalization of words, and the misuse of punctuation marks.
Some people may not pay close attention to these fine details, but most of the time, these are the most recognizable traits of phishing emails.
3. The “verification” link leads to a suspicious website
To phish information from account owners, scammers set up a look-alike website that leads to a form-capture page. This is where the victim is supposed to key in sensitive information such as full name, account number, PIN, and other private details.
In this instance, the "go to verification link" leads to a URL shortener, a technique cyber-criminals use to mask their phishing websites.
The shortener hides the real destination, which helps the link slip past simple security filters and tricks victims into clicking because they never see where it actually goes.
After loading the shortened link, we were met by a "404 Not Found" error, which means the landing page for this phishing attempt has already been taken down. Looking closely at the expanded URL, however, showed that it pointed to a subdirectory of another, unrelated website.
Loading that site's main page took us to the website of a certain Rotary Club in India. Whether the site itself is legitimate (and was simply compromised to host the phishing page) has not been verified, but it was being used as a staging ground for conning unsuspecting people.
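The two checks from signs 1 and 3 (display name versus sender domain, and shortened or off-domain links) can be scripted so that a suspicious message is triaged before anyone clicks. The example below is added here and is not code from the article or from eCompareMo. The sample email is constructed to mirror the message described above: the sender mailbox, the shortened link and the support address in it are invented, the list of shortener domains is a small hand-picked assumption, and the "registrable domain" helper is a deliberately simplified heuristic rather than a full public-suffix lookup. The `expand_short_url` function walks a shortener's redirect chain with HEAD requests and never renders the landing page; the redirect lookup can be injected so the walk can be exercised offline.

```python
"""Triage checks for a suspected bank-phishing email (added example, not from the article)."""
import email
import email.utils
import re
import urllib.error
import urllib.request
from email import policy
from urllib.parse import urljoin, urlparse

BANK_NAME = "BPI"
# Domains the article names as BPI's own; anything else is treated as suspect.
LEGIT_DOMAINS = {"bpi.com.ph", "bpiexpressonline.com"}
# Assumption: a small hand-picked list of public shorteners; extend it for real use.
SHORTENER_DOMAINS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly", "is.gd"}

# Constructed sample modelled on the article's description. The sender mailbox,
# the shortened link and the support address are invented for this example.
SAMPLE_EMAIL = """\
From: BPI Main Office <notice@bpi.org.ph>
To: employee@example.org
Subject: Account Deactivation Notice
Content-Type: text/html; charset=utf-8

<html><body>
<p>Greeting Our Valued BPI Customer,</p>
<p>Your account is on hold until you verify your card information for security.</p>
<p><a href="https://bit.ly/3abcXYZ">go to verification link</a></p>
<p>Support: <a href="mailto:support@bpiexpressonline.com">support@bpiexpressonline.com</a></p>
</body></html>
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def registrable_domain(host):
    """Crude eTLD+1: last two labels, or three under ccTLD second levels such as .com.ph."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"com", "org", "net", "co", "gov", "edu"} \
            and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_sender(msg):
    """Sign 1: the display name says the bank, but the mailbox domain is not the bank's."""
    display_name, address = email.utils.parseaddr(msg["From"])
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    if BANK_NAME.lower() in display_name.lower() and registrable_domain(domain) not in LEGIT_DOMAINS:
        return [f"sender claims to be {BANK_NAME} but the address is on {domain}"]
    return []


def extract_links(msg):
    """Pull every href out of the HTML (or plain-text) body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    return HREF_RE.findall(body.get_content()) if body else []


def check_links(links):
    """Sign 3: shortened links, or links that leave the bank's domains."""
    findings = []
    for link in links:
        parsed = urlparse(link)
        if parsed.scheme == "mailto":
            continue
        host = (parsed.hostname or "").lower()
        if host in SHORTENER_DOMAINS:
            findings.append(f"link hides its destination behind a shortener ({host}): {link}")
        elif registrable_domain(host) not in LEGIT_DOMAINS:
            findings.append(f"link points outside the bank's domains: {link}")
    return findings


def triage(raw):
    """Return every finding for a raw RFC 822 message; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    return check_sender(msg) + check_links(extract_links(msg))


def _head_location(url):
    """Real HEAD request that refuses to auto-follow; returns the Location header or None."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    opener = urllib.request.build_opener(NoRedirect)
    try:
        opener.open(urllib.request.Request(url, method="HEAD"), timeout=10)
    except urllib.error.HTTPError as err:  # a 3xx surfaces here once auto-follow is off
        return err.headers.get("Location")
    return None


def expand_short_url(url, max_hops=5, head=_head_location):
    """Walk the redirect chain one hop at a time and return every URL seen.
    `head(url)` returns the next Location or None; inject a stub to run offline."""
    chain = [url]
    for _ in range(max_hops):
        nxt = head(chain[-1])
        if not nxt:
            break
        chain.append(urljoin(chain[-1], nxt))
    return chain


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("!", finding)
```

Running the script on the constructed sample reports two findings: the sender claims to be BPI from a non-BPI domain, and the only clickable link goes through a shortener. The HEAD-only walk in `expand_short_url` is what lets you see the landing page's hostname and path (in this case a directory on an unrelated site) without ever loading the page in a browser.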
Don’t take the bait
In 2015, the Bangko Sentral ng Pilipinas (BSP) warned the public about the dangers of phishing.
BSP warns that criminals who successfully obtain your details can do a wide variety of things with them, such as withdrawing your money or purchasing goods without your permission, or, worse, using your identity to conduct illegal activities that can be traced back to your name.
Here are BSP’s tips on how to avoid becoming a victim of phishing scams:
- Scammers may use official-looking logos and other identifying information from a financial institution or a legitimate organization.
- Phishing may be done in various methods other than email, such as text messages, chat rooms, electronic fake banner advertisements or message boards, fake mailing lists, fake job search sites and job offers, and fake browser toolbars.
- To avoid being victimized by phishing scams, do not reply to suspicious emails. Ignore and delete the message. Do not click any link in a suspicious message. Do not give personal and financial information requested through email.
- Instead, call your bank or write to it to verify whether the emailed request is genuine. If you think you have already given information to a phisher, report the incident to the company immediately.
- Legitimate online banking websites use Secure Sockets Layer (SSL) to encrypt information between the server and the browser. These SSL-secured websites use https ("s" for secure) instead of the regular http.
- You can check this by looking for the lock icon beside your browser's address bar. Note that the lock only confirms the connection is encrypted; phishing sites can obtain certificates too, so also check that the domain in the address bar (and in the certificate details) is the bank's own, not a look-alike.
Despite the new measures banks have put in place to protect their clients, criminals keep finding ways to exploit people's weaknesses and turn them into profit. Stay vigilant against their methods and keep their hands off your bank account, your money, and, most importantly, your identity.